As CNET's Elinor Mills reported, a group of security specialists called Goatse Security was able to trick an AT&T Web site into disclosing e-mail addresses of iPad users, including what Gawker described as "thousands of A-listers in finance, politics, and media."
In an interview with CBS News, Goatse analyst Jim Jeffers said, "There is this identifier--it's called an ICC-ID [Integrated Circuit Card Identifier]--and it's present on every SIM card on every cellular phone, and it's used as an authentication token. That means it would be sent to [the] AT&T Web site, and that's how AT&T recognized you as who you were, and it would spit out your personal information in the form of your e-mail address. One of the members of our organization figured out, well, why not just step through these, and with the help of some additional data that was recovered, they were able to successfully predict these identifiers from the iPad 3G and retrieve a very large chunk of personal information."
Although AT&T said only e-mail addresses were compromised, Jeffers said, "it will allow someone who does the proper research to possibly target iPad 3G users and take over their iPads, and they could sniff traffic, they could act as the user of the iPad."
The exploit, said Jeffers, "was almost discovered by accident. One of our employees is an iPad 3G subscriber, and he noticed it in the process of the normal user experience of this device. It was something he just noticed as he was using it."
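An added example, not part of the original article and not AT&T's or Goatse Security's code: since the ICC-ID Jeffers describes served as the only authentication token, one defensive signal is a single client presenting many different, numerically adjacent ICC-IDs in a short time. The log format, addresses, identifiers and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real data): time, client address, ICC-ID presented, HTTP status.
SAMPLE_LOG = """\
2010-06-05T10:00:00 203.0.113.10 89014100000000987654 200
2010-06-05T10:00:02 198.51.100.7 89014100000000000015 200
2010-06-05T10:00:03 198.51.100.7 89014100000000000023 404
2010-06-05T10:00:04 198.51.100.7 89014100000000000031 200
2010-06-05T10:00:05 192.0.2.44 89014100000000123457 200
2010-06-05T10:00:06 198.51.100.7 89014100000000000049 200
2010-06-05T10:00:07 198.51.100.7 89014100000000000056 404
2010-06-05T10:00:08 198.51.100.7 89014100000000000064 200
2010-06-05T10:01:30 192.0.2.44 89014100000000555550 200
"""

def load(log_text):
    """Group (timestamp, ICC-ID) pairs by client address, in time order."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, iccid, _status = line.split()
            by_client[client].append((datetime.fromisoformat(ts), iccid))
    return {c: sorted(ev) for c, ev in by_client.items()}

def stepping_ratio(iccids):
    """Share of consecutive new identifiers whose bodies are numerically adjacent.
    Assumption: the final digit is a check digit, so only the digits before it are compared."""
    bodies = [int(i[:-1]) for i in dict.fromkeys(iccids)]  # de-duplicate, keep order
    steps = list(zip(bodies, bodies[1:]))
    return sum(abs(b - a) <= 2 for a, b in steps) / len(steps) if steps else 0.0

def find_enumerators(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Flag clients presenting more than max_distinct ICC-IDs inside any sliding window.
    Returns {client: (peak distinct count, stepping ratio)}."""
    flagged = {}
    for client, events in load(log_text).items():
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({i for _, i in events[start:end + 1]}))
        if peak > max_distinct:
            flagged[client] = (peak, stepping_ratio([i for _, i in events]))
    return flagged

if __name__ == "__main__":
    for client, (count, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct ICC-IDs, stepping ratio {ratio:.2f}")
```

Detection of this kind is a backstop; the underlying fix is to stop accepting a guessable hardware identifier as proof of identity.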